>Now is the time for financial institutions to future-proof against growing cyber risks.
>Financial-services companies around the world should consider not only what benefits new emerging technologies offer but also what risks they introduce.
>Cyber incidents are increasing in both frequency and severity year over year, and institutions must stay vigilant in their capabilities to defend themselves and protect their assets and finances against electronic crime.
>Majority of financial-services companies indicated that they are prioritising adoption of and investment in four of them – cloud and edge computing, applied AI, next-gen software development, and digital identity and trust architecture.
>Smaller companies with significantly less budget or ability to attract top security talent face even greater challenges.
Naushad K. Cherrayil
Dubai: As the technology landscape in the financial-services industry continues to evolve rapidly over the next three to five years and as the associated risks mount, now is the time to future-proof the environment, industry experts said.
“With an increasingly crowded and fast-moving technology landscape, companies are facing pressure to keep up. Financial institutions must not only grapple with how to best employ and protect their current technologies but also pay more and more attention to the growing field of emerging technologies that promise to strengthen their businesses—offering benefits such as increased automation, scalability, and cost savings,” Justin Greis, Partner at McKinsey & Company, said.
He said that financial-services companies around the world should consider not only what benefits new emerging technologies offer but also what risks they introduce.
To better understand how institutions are approaching and prioritising new technologies, the consulting firm surveyed companies around the world, in partnership with Institute of International Finance (IIF), about the applicability of ten emerging technologies to their businesses.
Martin Boer, senior director for regulatory affairs for the Institute of International Finance (IIF), said that emerging technologies can not only offer significant benefits but also exacerbate existing risks and introduce new cyber risks.
“Cyber risk management is nothing new to financial-services companies, but the importance of a robust, comprehensive strategy has never been more critical and will only increase as institutions expand their technological footprint.
“Cyberattacks continue to increase, and financial-services companies face well-funded, highly organised, and well-trained cyber criminals. These criminals are also adopting emerging technologies to aid in their attacks, including recent attacks utilizing gen AI as part of sophisticated phishing campaigns,” Boer said.
Cyber incidents are increasing in both frequency and severity year over year, and institutions must stay vigilant in their capabilities to defend themselves and protect their assets and finances against electronic crime.
According to the 2024 CrowdStrike global threat report, Electronic Crime (eCrime) continues to rise and led as the most pervasive threat in 2023. Data-theft extortion also continues to rise, and 2023 saw a 76 per cent increase in victims named on eCrime dedicated leak sites compared with 2022.
“As companies increase their use of technology, they are also increasing the number of avenues for a potential cyberattack by mature threat actors,” Boer said.
Of the emerging technologies included in the survey, a majority of financial-services companies indicated that they are prioritising adoption of and investment in four of them – cloud and edge computing, applied AI, next-gen software development, and digital identity and trust architecture.
Cloud and edge computing lead the list, with 84 per cent of respondents recognising their relevance to their businesses. Among those respondents, six in ten reported that more than 25 per cent of their workload now resides in the cloud.
This share will undoubtedly rise as cloud capabilities continue to evolve and as companies continue to transform their IT infrastructure through cloud migration and investment into cloud-native infrastructure—enticed by benefits such as flexibility, scalability, and cost efficiencies that are otherwise not offered by traditional and on-premise data centres.
Over 70 per cent of companies see their cloud adoption in the post-pilot stage, and 42 per cent consider their capabilities fully adopted and in the maintenance stage.
Trust architecture and digital identity are also advanced across many companies. Almost 50 per cent of the survey respondents put themselves in the post-pilot or maintenance stage of digital identity, and 70 per cent call trust architecture applicable to their businesses, with use cases regarding digital banking, omnichannel customer experience, a 360-degree view of customers, and digital-wallet offerings.
Reis said that all four technologies are likely to see quicker adoption than advanced connectivity, future mobility, immersive reality, quantum, machine learning, and Web3, due to their widespread applicability and maturity, as well as their proven, value-based use cases for financial-services companies.
The survey results reveal that financial-services companies are not exploring all the emerging technologies equally.
Instead, they are concentrating on those they perceive as most applicable to their organisations and likely to bring the most value, all while factoring in their current technological capabilities, their long-term business and tech strategies, and the potential regulatory impacts.
The research shows that current capabilities are falling short of addressing these risks. Most survey respondents also recognise the need to strengthen critical cybersecurity capabilities, including third-party or supply chain management and privileged access management (PAM).
As companies continue to increase their reliance on newer technologies, Soumya Banerjee, Associate Partner at McKinsey & Company, said that they [organisations] must ensure they have thought through and implemented the necessary risk management capabilities.
Otherwise, he said that they [organisations] may find the risks outweigh the benefits.
“In recent years, financial-services companies have evolved into technology-driven companies. This tech-centric approach is visible in the ways they are prioritising their investments; in addition to embracing software technologies, they are prioritising investments in scaling technology development, such as DevOps (software development and IT operations), and industrialising machine learning and AI,” Banerjee said.
Institutions are also weighing the current level of maturity of each technology in their plans; he said and added that considering the proven (and unproven) use cases that could add value to their businesses.
“The most applicable technologies were further along in their maturity journeys than some of those that were deemed less relevant.”
Unlike with cloud adoption, Lamont Atkins, Senior Advisor at McKinsey & Company, said that the maturity level of applied AI is still evolving.
While many financial-services companies recognise the relevance of applied AI, he said that most of their use cases remain in the early stages of development.
“Seventy per cent of the survey respondents reported being in the pilot stage or earlier. Some use cases such as financial-crime, financial-risk, and asset modeling are quite mature. Those that are in the early stages include gen AI and large language models.”
“Many institutions are still exploring their use in customer interaction support, personalised marketing, and fraud. These efforts offer companies the opportunity to gain a competitive advantage in the applied AI space before the technology is ready to be deployed. They can implement, for instance, proper oversight and responsible guardrails and controls for AI technology, thereby hastening its adoption for when it has sufficiently matured.”
However, Melanie Idler, Associate Policy Adviser for IIF, said that the four technologies that received the greatest attention from survey respondents introduces its own risks.
As financial institutions move their workloads to the cloud and as network boundaries disappear, he said that there’s an increased risk of exposure to threat actors and of nation-states gaining access to networks.
“Without proper management anchored in a robust cloud security strategy and strong security capabilities, companies face a multitude of cyber risks, including misconfigurations, data privacy breaches, and data loss.”
Moreover, he said that financial-services companies must rely upon their foundational cybersecurity capabilities to secure their technologies and protect their environments.
“Cybersecurity capabilities should be prioritised within the business as institutions continue to undergo technology transformations and recognise the benefits they bring with them. Without strong foundational security capabilities and controls within their cybersecurity programs, organizations will be exposed to risks brought on by their technology investments.”
Technologies that are popular today may change tomorrow, Lauren Craig, Engagement Manager at McKinsey & Company, said and added that as use cases develop and mature, companies are likely to continually reassess their applicability and investment priorities.
“The time for action to future-proof the environment is now. Our survey found that even leading institutions are falling short and that smaller companies with significantly less budget or ability to attract top security talent face even greater challenges,” she said.
Financial institutions should lay the “foundation for action” by asking themselves the following four questions about their pursuit of emerging technologies:
Do we have the right technology priorities, and are they aligned with our security capabilities? Expansion into newer technologies, such as the cloud and applied AI, usually means greater reliance on third-party services. Companies should reflect on their capabilities and the maturity of their security before introducing any technology. The third-party risk management capability warrants special attention.
Do we have the right metrics and reporting? Whether to satisfy regulators or to hold teams accountable, financial-services companies need transparent, value-based metrics for managing cyber risks. They can aid in monitoring performance, informing decisions, and identifying emerging issues for quick action. These metrics should measure cyber risk from an emerging-technology perspective and be reported appropriately to the right stakeholders, including board members and executives, lines of defense, and the risk management team.
Are we investing in the right things? Decisions on technology investments should take security capabilities, especially IAM capabilities, into account. The growing risk of security breaches and the looming need for regulatory compliance shine a spotlight on these capabilities.
Do we have the right talent and technology to close capability gaps? Every organization needs to invest in talent, but hiring and retaining the right talent is a challenge and calls for exploring other ways to fill the talent gap, such as utilising emerging technologies themselves, including AI.
Emerging technologies are grabbing lots of attention in the financial-services industry. Each brings cyber opportunities and risks. Most companies will have to build their cybersecurity capabilities to handle the risks. Today is the time to future-proof the environment, ensuring success for tomorrow.